LINUX HAS MORE FLAWS THAN WINDOWS

The Inquirer ^ | 1/6/06 | Nick Farrell

[cabojoe]

THE UNITED STATES Computer Emergency Readiness Team (CERT) has prepared a report for the government that claims that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.

Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.

The Cyber Security Bulletin 2005, said that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating bugs.

The remaining 2,058 were multiple operating system vulnerabilities. It is possible to hear the sounds of the provisional wing of the Linux and Apple glee clubs strapping cyber explosives to their belts at the announcement.

It seems that the figures prove the impression of many in the security industry that the only reason Windows boxes get turned over the most is because there are more of them.

CERT's figures did not include figures for how quickly vulnerabilities are patched once they are discovered. You can have a look at the report here. And flame CERT not us. µ

[Bush2000]

Because it was a lazy hit piece

Awwwwww. Somebody's got his panties in a knot because he doesn't like reality...

[N3WBI3]

if you are to obtuse to see this article for what it was there is no point arguing with you. You have both made my point and proven what a partisan you are in 13 words... Thanks..

[gondramB]

I think my analysis is sufficiently rigorous since the flaws listed for Linux and UNIX did not have to be found in all versions.

As for the use of the word "safest" I admit to being influenced by other articles on this topic.

[N3WBI3]

I don't know the statement:

the only reason Windows boxes get turned over the most is because there are more of them.

would seem to indicate structurally windows is more secure (read safe) than Linux...

[zeugma]

Brag to who? The 3% that use it? Why bother.

One would assume that they would be bragging about it to the other folks who write such malware.

[Bush2000]

I think my analysis is sufficiently rigorous since the flaws listed for Linux and UNIX did not have to be found in all versions.

Even excluding the software that isn't present in both Linux and UNIX, Linux still has more vulnerabilities.

[Bush2000]

Yeah, yeah, yeah. We both know how this game is played by you guys. Next, you'll be asserting that anything that isn't specifically part of the kernel isn't part of "Linux". ie. You want to tar M$ for vulnerabilities which aren't part of its kernel -- but avoid the same vulnerabilities in software shipped with Linux distros.

[Bush2000]

One would assume that they would be bragging about it to the other folks who write such malware.

I dunno. I'd suggest that bragging rights would be greater by trying to hit the most desktop computers possible. And I say "desktops" because they are the most visible to human beings. Hence, more recognizable as being damaged.

[Bush2000]

would seem to indicate structurally windows is more secure (read safe) than Linux...

Except the dynamic isn't purely structural. It's statistical. There are simply more Windows boxes.

[N3WBI3]

Next, you'll be asserting that anything that isn't specifically part of the kernel isn't part of "Linux"

Hmmm which is a more reasonable position? claiming that it needs to be the kernel and core libraries to be Linux or the one you are defending that considers OSX, Solaris, HP-UX, AIX, IRIX, ... part of 'Linux'?

You want to tar M$ for vulnerabilities which aren't part of its kernel

I'm more than willing to look at Libraries and core programs in Linux however Darwin is not one of them...

[N3WBI3]

Yes when you count one kernel vulnerability ten times for the different distros, or count things like gimp and apache as 'Linux'... You work with crap numbers like some artist work with oils... kudos..

[N3WBI3]

Oh yea hacking 10,000 Senior citizens computers not protected by anything is a way bigger claim to fame than taking out a few of the root DNS servers..

[zeugma]

Hmmm which is a more reasonable position? claiming that it needs to be the kernel and core libraries to be Linux or the one you are defending that considers OSX, Solaris, HP-UX, AIX, IRIX, ... part of 'Linux'?

I think it's funny that they'll use one of these vulnerability tallying survesy as a basis for much of anything. Normally, they claim that Linux = the Linux Kernel + everything that might be included in a distribution. This is the first time I've seen them try to claim that Linux = all software that can run on *nix platforms.

The really funny thing, is they expect us to take them seriously when they compare this kind of tally of vulnerabilities reported in even a single distribution like RedHat (and all accompanying software), against a base windows OS install that includes nothing that you need to be able to actually make a computer do anything useful other than a web browser. I guess I'd be resentful if I paid that much cash for a crap OS, then have to shell out even more bucks to make it much more than an inefficient heater.

[zeugma]

Oh yea hacking 10,000 Senior citizens computers not protected by anything is a way bigger claim to fame than taking out a few of the root DNS servers..

Watch it now. You're attempting to use logic against him. That does not work here.

Also, I notice how convieniently this kind of article distracts people from the huge hole that had to be taken care of by third parties before microsoft could even formulate a press release.

[Bush2000]

Hmmm which is a more reasonable position? claiming that it needs to be the kernel and core libraries to be Linux or the one you are defending that considers OSX, Solaris, HP-UX, AIX, IRIX, ... part of 'Linux'?

I would argue that anything which is common is fair game. And that covers a LOT of ground.

I'm more than willing to look at Libraries and core programs in Linux however Darwin is not one of them...

The trouble with your position is that (1) Linux distros come with a lot more code than just a kernel and some libraries, (2) Linux distros vary considerably, (3) users install that additional code as a matter of making the OS useful to them, and (4) you guys have a long history of tarring Windows because of flaws in applications shipped with Windows.

[Bush2000]

Yes when you count one kernel vulnerability ten times for the different distros,

Where has CERT done that?

... or count things like gimp and apache as 'Linux'...

Like it or not, things distributed with Linux are "Linux" -- just as things distributed with Windows are "Windows".

[N3WBI3]

I would argue that anything which is common is fair game. And that covers a LOT of ground.

Including other UNIX operating systems? even you have to admit that makes a Linux Windows comparison pretty pointless

(1) Linux distros come with a lot more code than just a kernel and some libraries

Umm not all some like Damn Small Linux are very pared down but can you agree as windows does not have a native utility to zip files that the bzip2 bugs should not count?

Linux distros vary considerably

Yes I agree buts its odd youll stress how much they vary when you just made an iron clad statement about what they do and do not come with!

users install that additional code as a matter of making the OS useful to them

This is also true of windows yet you only want to talk about the vanilla install

you guys have a long history of tarring Windows because of flaws in applications shipped with Windows.

I tar MS for flaws with ie, iis, and others (because they are MS products) but I dont recall attacking wnidows because of an apache bug, or a security isse with third party software..

[ShadowAce]

Yes when you count one kernel vulnerability ten times for the different distros,

Where has CERT done that?

According to this article on ZDNet, the first ten *nix postings contain 3 duplicates, with a total of 1442 duplicates (62%).

Also, it is claimed that there are quite a few postings that don't even belong there--such as the Debian lintian Insecure Temporary File, as this was discovered, discussed, and corrected in the year before it was reported.

[Bush2000]

Oh yea hacking 10,000 Senior citizens computers not protected by anything is a way bigger claim to fame than taking out a few of the root DNS servers..

"The importance of the root servers has been overstated," Cohn said, arguing that their core functions could be rebuilt within hours. "This attack shows that it's possible to wreak havoc among a few hundred technical people who have to batten down the hatches...But there have been no serious negative consequences."

[Bush2000]

This is the first time I've seen them try to claim that Linux = all software that can run on *nix platforms.

Who's "them"? Some kind of "vast right wing M$ conspiracy?" LMFAO! Oh, I get it. CERT is now bought and paid for, right? You guys are hilarious...